SubsTracker

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for SubsTracker, but it uses account credentials, persistent session cookies, broad auto-invocation, deletes, and notification secrets in ways users should review before installing.

Install only if you trust the SubsTracker server and will run this skill from trusted directories. Keep all `SUBSTRACKER_*` values in one protected config source, avoid cwd overrides, treat `.env` and CLI flags as secrets, clear the saved cookie when changing servers, and require explicit user confirmation before deletes, password changes, config updates, or notification tests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

High
Confidence: 95%
Finding
The trigger language is extremely broad, directing use of the skill for almost any mention of subscriptions, bills, renewals, reminders, or related Chinese phrases, even when the user does not explicitly reference SubsTracker. This increases the chance of unintended invocation of a networked, credential-using skill in contexts where the user may only be asking a general question, causing unnecessary account access or external actions.

Missing User Warnings

Medium
Confidence: 90%
Finding
This section tells users to place `SUBSTRACKER_USER` and `SUBSTRACKER_PASS` in `.env` and says scripts auto-load them, but it does not warn that these are sensitive credentials or explain safe handling expectations. In a skill that also manages notification integrations and admin configuration, lack of explicit credential-safety guidance meaningfully raises the risk of accidental exposure or unsafe use.

Missing User Warnings

Medium
Confidence: 87%
Finding
The documented commands include destructive operations such as `s delete`, payment deletion, config changes, and toggling account state, but no warning is given about irreversible effects or the need for confirmation. In an agent setting, omission of deletion safeguards can turn an accidental or ambiguous request into real data loss or service disruption.

Missing User Warnings

Medium
Confidence: 93%
Finding
The config update and notification test commands can send data and secrets to external endpoints such as Telegram, webhook, Bark, WeChat, Gotify, and email, but the skill provides no warning that these actions transmit data off-system. This is dangerous because users or agents may test or configure notifications without realizing they are exposing tokens, identifiers, or message content to third parties.

Missing User Warnings

Medium
Confidence: 94%
Finding
The session cookie from the Set-Cookie header is written in plaintext to a predictable file under the user's home directory without setting restrictive file permissions or using an OS credential store. Local attackers, other processes running as the same user, or accidental backups/log collection could recover the cookie and hijack the authenticated session.

VirusTotal

63/63 vendors flagged this skill as clean.
